undefined | Better HN

0 pointsiforgotpassword2y ago0 comments

> That's why you grab their dockerfile and build it yourself.

Then you still didn't audit anything. What you need to do is inspect the docker file, follow everything it pulls in and audit that, finally audit the script itself that the whole container gets built for in the first place. Whereas when you just download the script and run that directly, you only need to do the last step.

0 comments

mook2y ago

Yeah, people don't seem to actually care. The Bitnami images were quite popular, but looking inside it they all just pull random tarballs from their server, and nothing seemed to indicate where those things came from.

beeboobaa2y ago

All of that is the same as a shell script, yes. A dockerfile is essentially just a glorified shell script installing dependencies, which you'd otherwise just be doing yourself.

coldtea2y ago

>Then you still didn't audit anything. What you need to do is inspect the docker file, follow everything it pulls in and audit that

You don't need to audit anything it pulls in INSIDE the container. Who cares? Just what kind of access it gives the container to the host.

stirfish2y ago

This sounds like fine a way to mine Bitcoin for someone else

coldtea2y ago

The whole point is that you checked that the container gets no access to the network.

Not to mention why wouldn't you let a shell script container keep running?

tomjakubowski2y ago

You can use quotas to mitigate that risk, and monitoring to discover it. You'd be monitoring CPU usage anyway, whether or not you build your own images or write your own Dockerfiles.

j / k navigate · click thread line to collapse

0 pointsiforgotpassword2y ago0 comments

> That's why you grab their dockerfile and build it yourself.

0 comments

mook2y ago

beeboobaa2y ago

All of that is the same as a shell script, yes. A dockerfile is essentially just a glorified shell script installing dependencies, which you'd otherwise just be doing yourself.

coldtea2y ago

>Then you still didn't audit anything. What you need to do is inspect the docker file, follow everything it pulls in and audit that

You don't need to audit anything it pulls in INSIDE the container. Who cares? Just what kind of access it gives the container to the host.

stirfish2y ago

This sounds like fine a way to mine Bitcoin for someone else

coldtea2y ago

The whole point is that you checked that the container gets no access to the network.

Not to mention why wouldn't you let a shell script container keep running?

tomjakubowski2y ago

You can use quotas to mitigate that risk, and monitoring to discover it. You'd be monitoring CPU usage anyway, whether or not you build your own images or write your own Dockerfiles.

j / k navigate · click thread line to collapse